Scareware, Black Hat SEO and You

The scareware and rogue AV problem that initially appeared a few years ago and has since found its way onto thousands and thousands of legitimate Web sites, including The New York Times home page, has now reached epidemic levels. The scams are mostly boilerplate and well-understood, but it’s not often that we get to take a peek behind the curtain and see the inner workings of the schemes. Here’s just such a chance.

In a fascinating post, Bojan Zdrnja of the SANS Internet Storm Center has detailed exactly how one specific rogue AV attack works and exposed the methods that the attackers are using to gain victims and plant their malware on legitimate sites. The analysis started with the acquisition of a heavily obfuscated PHP script, which, after analysis, turned out to be the main script used by one particular rogue AV gang.

The attackers are placing that obfuscated script on legitimate sites running on Apache with PHP, taking advantage of misconfigurations or vulnerabilities in the Web server to install it. Meanwhile, the attackers are also using one or perhaps a handful of master servers to search Google and see which keywords are trending as the most popular at the moment. Those are the keywords that the gang wants to target with the spam and rogue AV campaign.

Once the best keywords are identified, the attackers then place links containing those words on the sites that they have previously compromised. Then, as the search engines crawl the owned sites, the master PHP script phones home to the attackers’ C&C server and retrieves a dynamically generated page that contains a slew of phrases containing the specific keyword in use, as well as links to other compromised sites, Zdrnja wrote in his analysis.

“In step 2, besides spammed links, search engine crawlers will also visit compromised web sites. Now an interesting thing happens that helps poison the results: when the script detects a visit from a search engine crawler, but without the required poisoned parameters, the PHP script by the attackers will return the original requested web page, but with concatenated links to other compromised web sites that it has in the local database,” Zdrnja wrote.

The idea is to link all of their compromised sites together as a way to increase their rankings with Google, because that’s the key to the entire game. The higher they can move their owned sites up in the rankings, the more potential victims they’ll get visiting those sites. And more visitors of course means more money extracted through the rogue AV and scareware scams.
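Because the injected cross-links are served only to search-engine crawlers, a site owner can check for this kind of cloaking by fetching the same page twice, once with a browser User-Agent and once with a crawler User-Agent, and diffing the outbound links. The script below is an added example (not code from the article or from Zdrnja's analysis); the HTML responses and host names in it are constructed samples, and the fetching itself is left to the reader.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def cloaked_links(normal_html, crawler_html, own_host):
    """Return off-site hrefs that appear only in the crawler's view of a page.

    The two arguments are the same URL fetched with a browser User-Agent and
    with a search-engine crawler User-Agent. Links present only in the crawler
    view and pointing to another host match the behaviour described above:
    the original page with links to other compromised sites concatenated on.
    """
    normal = set(extract_links(normal_html))
    injected = set()
    for href in extract_links(crawler_html):
        if href in normal:
            continue
        host = urlparse(href).netloc
        if host and host != own_host:
            injected.add(href)
    return sorted(injected)


# Constructed sample responses; no real site was fetched for these.
_PAGE = ('<h1>Welcome</h1><a href="/about.html">About us</a>'
         '<a href="https://www.example.com/news">News</a>')
_INJECTED = ('<div style="display:none">'
             '<a href="http://compromised-one.example/?q=trending+term">t1</a>'
             '<a href="http://compromised-two.example/page.php?id=7">t2</a>'
             '<a href="/about.html">About us</a></div>')
NORMAL_VIEW = "<html><body>" + _PAGE + "</body></html>"
CRAWLER_VIEW = "<html><body>" + _PAGE + _INJECTED + "</body></html>"

if __name__ == "__main__":
    for href in cloaked_links(NORMAL_VIEW, CRAWLER_VIEW, "www.example.com"):
        print("crawler-only link:", href)
```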

The end result of all of these machinations is that the potential victim is presented with a dialog box with one of the all-too-familiar warnings that his PC is infected with malware and he needs to pay a $50 or $75 license fee to clean it. It’s a well-worn tactic, but it’s been working very, very well for the attackers and they’re not much for leaving money on the table.

But these scams obviously don’t succeed without two key elements: vulnerable Web sites and gullible end users. Unfortunately, both are in ready supply.

Authors

Threatpost